Published: 11 Feb 2020
Gordon McNeil, CQP MCQI, IRCA Principal Auditor, explains the importance of second-party audits, and the role that accreditation and certification can play
Certification to the ISO 9001 standard is often a minimum customer requirement for external product and service providers and their sub-tiers. As organisations seek to identify, minimise and mitigate supply chain risk, there is an increasingly heavy reliance upon such a certificated management standard to assist with this, along with the independent assessments carried out by certifying bodies (CB).
Auditors who spend most of their time carrying out second-party audits on behalf of their employer will know that certification is by no means a silver bullet. After all, if having certification resulted in continual compliance to the standard, audits would not be necessary, and the standard would not mandate internal auditing.
The diagram in Figure 1 (below) shows the results of data spanning a six-year period (2014 to 2019), resulting from a total of 100 customer audits of suppliers to a defence contractor. This period was chosen in order to capture audits carried out by a dedicated supply chain quality team working for the customer, ensuring consistency of the process. The data for third-party audits (captured by certifying bodies) was obtained by reviewing the audit reports of those same suppliers at the time of carrying out the customer audits.
Two ISO 9001 clauses were selected from the findings of these 100 audits: ‘8.2 Requirements for products and services’ and ‘8.4 Control of externally provided processes, products and services’. They were chosen because of their importance to the customer, and because of the frequency with which they were found not to be implemented in line with the ISO 9001 standard. The non-conformities raised during the time of ISO 9001:2008 have been converted to the equivalent ISO 9001:2015 clauses.
With regard to the quantitative data (see Figure 1), there are significant instances of non-conformity from a customer’s perspective. Almost one third of the second-party audits carried out during this period found the suppliers’ review of contracts and customer requirements to fall short of compliance with the standard, and in over half of second-party audits the suppliers did not adequately demonstrate control over their supply chain. However, when looking for the equivalent evidence from third-party audits, these were only zero and three per cent, respectively. It is unclear at this time why such discrepancies exist, and it is hoped a wider audience may generate discussion around possible causes and potential solutions.
The significance of these potential risks should not be underestimated. Having recognised that the outsourcing of products and services introduces additional risk, regulators and authorities are also taking a keen interest in operators’ supply chains.
In light of these findings, you may wish to consider the following:
- Does an audit by an ‘interested party’ introduce bias?
- Does auditing as a paid service reduce objectivity?
- Is there sufficient oversight by accreditation bodies?
- Would ISO 9001 benefit from a clause on external audit in addition to internal audit?
- Should the management review outputs be more explicit and in line with management review inputs?
- Is there a tendency to associate audit results in management review inputs only with internal audits?
If QMS certification continues to be the basis for supplier approval for many organisations, I suggest customers need to supplement this with continued vigilance and targeted surveillance activities, perhaps by including second-party audits. The two clauses discussed above highlight examples of where risks exist for customers and where interpretation of the ISO 9001 standard can either identify them or not, depending on viewpoint.
Advantages of second-party audits
Second-party audits are a valuable tool, strengthening an organisation’s supply chain and verifying that current or proposed suppliers have the capability to meet or exceed their customer’s requirements. By the very act of outsourcing a product or service, an organisation relinquishes some degree of control; it is imperative that this risk is managed.
The emphasis placed on risk-based thinking and meeting customer requirements by the latest ISO 9001 standard can only be a positive step. However, the data suggests that there is more work to be done to ensure all auditors interpret compliance to the standard in the same way.